
tshark: Extract hex data for whole frame along with epoch time with microseconds/nanoseconds precision

Is there a way to extract the whole frame hex dump using tshark with epoch time?

I am able to run the following command, which provides me both of the fields (i.e. frame_raw and frame.time_epoch) I need:

tshark -r <pcapng_path> -x -T json -j "frame"

However, I would like to use something like the following:

tshark -r <pcapng_path> -x -T ek -e frame.time_epoch -e raw

OR

tshark -r <pcapng_path> -x -T ek -e frame.time_epoch -e frame_raw
left4dead
asked 2021-04-29 00:05:57 +0000, updated 2021-04-29 10:26:52 +0000


1 Answer


It would be nice if there was a frame.data field but that doesn't exist at this time.
frame_raw is not a field. It is a special case JSON format (print.c):

        // "-x" command line option. A "_raw" suffix is added to the json key so the textual value can be printed
        // with the original json key. If both hex and text writing are enabled the raw information of fields whose
        // length is equal to 0 is not written to the output. If the field is a special text pseudo field no raw
        // information is written either.

You asked for tshark. Here's something close with rawshark. The output will need to be cleaned up (grep/sed/awk/perl/python/...), so it may be a tossup whether this is better than the tshark output. From the rawshark man page: "Also note that the output may be in any order."

C:\>rawshark -s  -r - -d proto:frame -F frame.time_epoch -F frame < dhcp.pcap
0 FT_RELATIVE_TIME BASE_NONE - 1 FT_PROTOCOL BASE_NONE -
1 1="ff:ff:ff:ff:ff:ff:00:0b:82:01:fc:42:08:00:45:00:01:2c:a8:36:00:00:fa:11:17:8b:00:00:00:00:ff:ff:ff:ff:00:44:00:43:01:18:59:1f:01:01:06:00:00:00:3d:1d:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0b:82:01:fc:42:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:63:82:53:63:35:01:01:3d:07:01:00:0b:82:01:fc:42:32:04:00:00:00:00:37:04:01:03:06:2a:ff:00:00:00:00:00:00:00" 0="1102274184.317453000" -
Chuckc
answered 2021-04-29 03:55:52 +0000
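As an added example (not code from this thread or from the Wireshark project), the Python script below turns both output shapes discussed here into (epoch, hex) records: the tshark -x -T json -j "frame" output that the question already gets, and the rawshark -F output from the answer above, whose per-packet fields the man page says may come in any order. The sample inputs are constructed by hand. It is my assumption that Wireshark 3.x prints *_raw JSON values as a five-element array [hex, position, length, bitmask, type] while 2.x printed a bare hex string; the script accepts both. The epoch time is kept as a string and split into integer seconds and nanoseconds, so the nanosecond precision from the title survives instead of being rounded through a float.

```python
"""Normalise whole-frame hex plus epoch time out of tshark JSON and rawshark
-F output into (epoch, hex) records.  Added example; sample inputs below are
constructed by hand and are not real captures."""
import json
import re
from typing import List, Tuple, Union

Record = Tuple[str, str]  # (frame.time_epoch as printed, lowercase hex of the whole frame)

# Constructed sample shaped like `tshark -r file.pcapng -x -T json -j "frame"`.
# Assumption: Wireshark 3.x prints *_raw as [hex, position, length, bitmask, type];
# 2.x printed a bare hex string.  The second packet uses the bare-string form.
TSHARK_JSON_SAMPLE = """[
  {"_index": "packets-2021-04-29", "_type": "doc", "_score": null,
   "_source": {"layers": {
       "frame_raw": ["FFFFFFFFFFFF000B8201FC420800", 0, 14, 0, 1],
       "frame": {"frame.time_epoch": "1102274184.317453000", "frame.len": "14"}}}},
  {"_index": "packets-2021-04-29", "_type": "doc", "_score": null,
   "_source": {"layers": {
       "frame_raw": "000b8201fc42ffffffffffff0800",
       "frame": {"frame.time_epoch": "1102274184.318000000", "frame.len": "14"}}}}
]"""

# Constructed sample shaped like the rawshark output in the answer:
# -F frame.time_epoch is field 0 and -F frame is field 1 (command-line order).
# The man page says fields may appear in any order, so the second line swaps them.
RAWSHARK_SAMPLE = """0 FT_RELATIVE_TIME BASE_NONE - 1 FT_PROTOCOL BASE_NONE -
1 1="ff:ff:ff:ff:ff:ff:00:0b:82:01:fc:42:08:00" 0="1102274184.317453000" -
2 0="1102274184.318000000" 1="00:0b:82:01:fc:42:ff:ff:ff:ff:ff:ff:08:00" -
"""

_RAWSHARK_FIELD = re.compile(r'(\d+)="([^"]*)"')


def _hex_from_raw(raw: Union[str, list]) -> str:
    """Accept either the 3.x array form or the 2.x bare-string form of *_raw."""
    if isinstance(raw, list):
        raw = raw[0]
    if not isinstance(raw, str):
        raise ValueError("unexpected *_raw value: %r" % (raw,))
    return raw.lower()


def records_from_tshark_json(text: str) -> List[Record]:
    """Walk `tshark -x -T json` output and pull epoch time and whole-frame hex."""
    out: List[Record] = []
    for packet in json.loads(text):
        layers = packet["_source"]["layers"]
        epoch = layers["frame"]["frame.time_epoch"]
        hexdata = _hex_from_raw(layers["frame_raw"])
        # Cross-check the hex length against frame.len where tshark reported it.
        expected = layers["frame"].get("frame.len")
        if expected is not None and len(hexdata) != 2 * int(expected):
            raise ValueError("frame_raw length does not match frame.len at %s" % epoch)
        out.append((epoch, hexdata))
    return out


def records_from_rawshark(text: str, time_idx: int = 0, frame_idx: int = 1) -> List[Record]:
    """Parse rawshark -F output; field indexes follow the -F order on the command line."""
    out: List[Record] = []
    lines = text.splitlines()
    if not lines:
        return out
    # First line describes each field as "<idx> <ftype> <base> -", repeated.
    tokens = lines[0].split()
    ftypes = {int(tokens[i]): tokens[i + 1] for i in range(0, len(tokens), 4)}
    if ftypes.get(frame_idx) != "FT_PROTOCOL":
        raise ValueError("field %d is not a protocol field" % frame_idx)
    for line in lines[1:]:
        fields = dict(_RAWSHARK_FIELD.findall(line))  # index -> value, any order
        if str(time_idx) not in fields or str(frame_idx) not in fields:
            continue  # rawshark omits a field that is absent from a packet
        epoch = fields[str(time_idx)]
        hexdata = fields[str(frame_idx)].replace(":", "").lower()
        out.append((epoch, hexdata))
    return out


def split_epoch(epoch: str) -> Tuple[int, int]:
    """Split "sec.frac" into integer seconds and nanoseconds without float rounding."""
    secs, _, frac = epoch.partition(".")
    return int(secs), int(frac.ljust(9, "0")[:9])


def to_bytes(record: Record) -> Tuple[int, int, bytes]:
    """Turn a record into (seconds, nanoseconds, raw frame bytes)."""
    epoch, hexdata = record
    secs, nanos = split_epoch(epoch)
    return secs, nanos, bytes.fromhex(hexdata)


if __name__ == "__main__":
    for rec in records_from_tshark_json(TSHARK_JSON_SAMPLE) + records_from_rawshark(RAWSHARK_SAMPLE):
        secs, nanos, frame = to_bytes(rec)
        print("%d.%09d %d bytes %s" % (secs, nanos, len(frame), rec[1]))
```

To use it on real output, feed the text of tshark -r file.pcapng -x -T json -j "frame" to records_from_tshark_json, or the text of the rawshark command from the answer to records_from_rawshark; both return the same record shape, so downstream code does not care which tool produced the capture.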

Comments

Appreciate the quick response, Chuck. One additional point for my query is that I need to work with pcapng files. Updating my question accordingly.

I tried the command for both pcap and pcapng files and I see the following issue for both (of course, the packet length value in the error message varies):

0 FT_RELATIVE_TIME BASE_NONE - 1 FT_PROTOCOL BASE_NONE - 
rawshark: The standard input appears to be damaged or corrupt.
(Bad packet length: 544108393)
left4dead (2021-04-29 10:26:10 +0000)

@left4dead, can you show your rawshark command line?

grahamb (2021-04-29 10:38:28 +0000)

@grahamb The following is for a pcap file.

rawshark -s  -r - -d proto:frame -F frame.time_epoch -F frame < /Users/ab/Traces/VO41RegTD416SecureInstCertBrowsingIncogGmail/traffic.cap

Output:

0 FT_RELATIVE_TIME BASE_NONE - 1 FT_PROTOCOL BASE_NONE - 
rawshark: The standard input appears to be damaged or corrupt.
(Bad packet length: 1509949440)
left4dead (2021-04-29 10:53:52 +0000)

What is the purpose of rawshark?
I'm not sure if there is enough interest in rawshark to add support for pcapng.
If Python is an option, look at python-pcapng or scapy.

(There are fields for pcap_pktdata, file-pcap and file-pcapng but I didn't have any luck displaying them with tshark.)

Chuckc (2021-04-29 12:45:06 +0000)
